6

Can someone explain why Certbot is using the following redirect configuration

server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name example.com;
    listen 80;
    return 404; # managed by Certbot
}

instead of simply this one?

server {
    server_name example.com;
    listen 80;
    return 301 https://$host$request_uri;
}

server_name basically says that this config only applies to example.com, so $host can never be anything different, or am I missing something?

Daniel

1 Answer

9

I think the catch here is that if this happens to be the first server for this address/port combination, and no other server for this address/port has the default_server parameter, this server would become the default server, acting as a catch-all for unknown hosts.

See the request processing documentation for an overview, as well as the listen documentation for some specifics on the default server behavior:

The default_server parameter, if present, will cause the server to become the default server for the specified address:port pair. If none of the directives have the default_server parameter then the first server with the address:port pair will be the default server for this pair.

Håkan Lindqvist
Correct. [This was actually done to fix a security vulnerability.](https://community.letsencrypt.org/t/security-issue-with-redirects-added-by-certbots-nginx-plugin/51493) – Matt Nordhoff Aug 01 '22 at 07:39
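To make the quoted selection rule concrete, here is a small Python model of how nginx picks a server block for one address:port pair and what each of the two configurations then returns. It is an added illustration, not nginx's or Certbot's code; the hosts and the `WITH_DEFAULT` variant are constructed, and `$host` is simplified to the Host header value.

```python
from dataclasses import dataclass

# Constructed model of nginx server selection for ONE address:port pair
# (listen 80 here). Not nginx code; it mirrors the rule quoted from the
# listen documentation: exact server_name match wins, otherwise the
# default_server block, otherwise the first block declared for the pair.

@dataclass
class Server:
    names: tuple            # server_name values
    default_server: bool = False
    guarded: bool = False   # True: Certbot style, redirect only if $host matches

def pick_server(servers, host):
    for s in servers:           # server_name lookup (exact names only here)
        if host in s.names:
            return s
    for s in servers:           # explicit default_server for this port
        if s.default_server:
            return s
    return servers[0]           # implicit default: first block for the pair

def handle(servers, host, uri):
    """Return (status, Location) for a plain-HTTP request with this Host."""
    s = pick_server(servers, host)
    if s.guarded and host not in s.names:
        return 404, None        # Certbot's 'return 404' branch
    return 301, f"https://{host}{uri}"   # return 301 https://$host$request_uri

# The simple block from the question, alone on port 80: it is the implicit
# default server, so an unknown Host still reaches the unconditional 301.
SIMPLE = [Server(("example.com",))]
# Certbot's block in the same position: the if ($host = ...) guard applies.
CERTBOT = [Server(("example.com",), guarded=True)]
# Alternative (constructed): an explicit catch-all default_server block
# declared ahead of the simple block takes the unknown hosts instead.
WITH_DEFAULT = [Server(("_",), default_server=True, guarded=True),
                Server(("example.com",))]

if __name__ == "__main__":
    for label, cfg in (("simple", SIMPLE), ("certbot", CERTBOT), ("default", WITH_DEFAULT)):
        for host in ("example.com", "unexpected.test"):   # constructed hosts
            print(label, host, handle(cfg, host, "/login"))
```

With `SIMPLE`, a request carrying any unknown Host is still answered with a 301 to that host, which is the behaviour the linked security issue describes; `CERTBOT` and `WITH_DEFAULT` answer such requests with 404 instead.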